Answered by:

Question

I have an issue on the CLM server and the CA where periodically I get the error "Cannot Generate the SSPI context". If I restart the SQL CLM instance the problem is rectified. This appears to be related to Kerberos and the ticket expiry. It may be that
this happens if the DB is not accessed for more that the Kerberos ticket validity period. If I look in the security log on the SQL server the error is "unable to logon because of null SID". Once I restart the SQL instance the logon message shows the CLM and
CA servers authentication correctly using Kerberos. The SPNs for the SQL service account register OK. ????

Tuesday, June 07, 2011 2:44 PM

Answers

This turned out to be a Kerberos ticket renewal issue. Use a Klist to dump the ticket list for your service account to see if they are expiring and not being renewed. A third party authentication product was found to be the cause.

Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.